This invention relates generally to methods and systems for increasing the security of network-based transactions, and more particularly, to methods and systems for increasing the security of network-based transactions initiated from, and conducted on, mobile communications devices.
Man-in-the-browser attacks are generally conducted by imposters to perpetrate fraudulent network-based transactions. In such attacks the browser software is compromised such that after an authorized user gains access over the internet to a service provider system by, for example, entering a proper username and password, the compromised browser is able to intercept and manipulate communications between the authorized user and the service provider system. As a result, legitimate network-based transactions to the service provider system that are initiated by the user become morphed by the compromised browser software into fraudulent network-based transactions, unbeknownst to the user. This is possible because the compromised browser can convert all confirmation messages returned by the service provider into messages that are consistent with what the user is expecting based on the original legitimate transaction. Thus, by virtue of providing authorizations for seemingly legitimate network-based transactions, authorized users may unwittingly be providing authorization for fraudulent network-based transactions. Such fraudulent transactions may include transferring large sums of money from the authorized user's account to an account of the imposter. Because communications between the user and the service provider system seem proper while the fraud is perpetrated, users are unaware of the fraud and become unwitting participants in the fraudulent transaction.
Out-of-band communication techniques offer increased security against such man-in-the-browser attacks by virtue of using two different devices for communicating over two different channels while conducting network-based transactions. The different devices are generally a personal computer and a mobile communications device that execute different applications. Users typically operate the personal computer to initiate a network-based transaction with the service provider system and operate the mobile communications device to conduct an authentication transaction with an authentication system. The personal computer and the mobile communications device each define a different communications channel. Imposters conducting man-in-the-browser attacks generally do not have access to both channels, so it is significantly more difficult for them to compromise both communications channels. As a result, out-of-band communication techniques have been known to effectively defeat such man-in-the-browser attacks and thereby provide very high security for network-based transactions.
However, by virtue of requiring two different devices and associated channels, conducting network-based transactions using out-of-band techniques has been known to be inconvenient and expensive. Moreover, operating two different applications on the personal computer and the mobile communications device has been known to be difficult and confusing. As a result of rapid mobile communications device adoption rates, mobile communications devices are increasingly being used as the second out-of-band device to authenticate transactions. However, with more and more network-based transactions being initiated from mobile communications devices, this out-of-band protection is lost because the same mobile communications device is used for initiating and authenticating the transaction. Compromising this single mobile communications device has been known to render network-based transactions vulnerable to man-in-the-browser attacks. Consequently, network-based transactions initiated from, and conducted on, mobile communications devices have been known to enjoy less security than those conducted using out-of-band communication techniques.
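The two-channel confirmation described above, modelled as an added example (not part of this disclosure): the service provider executes only a transfer whose approval is bound to the details it actually received, so a transaction morphed on the initiation channel is refused when the second device shows the user the morphed details. The HMAC binding and the `DEVICE_KEY` are assumptions that go beyond the text; the final case models the page's point that when both channels run on one compromised device, the protection is lost.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount: int

    def encode(self) -> bytes:
        return f"{self.payee}:{self.amount}".encode()


# Constructed key: provisioned on the second device and shared with the service provider.
DEVICE_KEY = b"constructed-demo-key"


def sign(t: Transfer) -> bytes:
    return hmac.new(DEVICE_KEY, t.encode(), hashlib.sha256).digest()


def honest_browser(t: Transfer) -> Transfer:
    return t


def morphing_browser(t: Transfer) -> Transfer:
    # Constructed stand-in for a compromised browser rewriting the user's transaction.
    return Transfer(payee="imposter-account", amount=t.amount * 10)


def second_device(shown: Transfer, intended: Transfer) -> Optional[bytes]:
    # The user compares the details shown on the second device with their own intent;
    # on approval the device signs exactly what it displayed.
    return sign(shown) if shown == intended else None


def transact(intended: Transfer, browser: Callable[[Transfer], Transfer],
             single_compromised_device: bool = False) -> Optional[Transfer]:
    """Return the transfer the service provider executes, or None if it is refused."""
    received = browser(intended)  # channel 1: what the service provider actually receives
    if single_compromised_device:
        # Both channels live on one compromised device: the malware shows the user the
        # intended details to collect approval, then signs what it actually submitted.
        tag = sign(received) if second_device(intended, intended) else None
    else:
        tag = second_device(received, intended)  # channel 2 echoes the received details
    if tag is None:
        return None
    # The provider executes only a transaction whose approval is bound to what it received.
    if not hmac.compare_digest(tag, sign(received)):
        return None
    return received
```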
Independent of the trend toward initiating more and more transactions from mobile communications devices, service providers have been known to integrate the authentication processes for personal-computer-based applications to make the overall business process easier for users. However, doing so does not offer the same protection as out-of-band communication techniques because attackers need only compromise one device to hack the system.